Detection as an Effective Strategy for Cyber Attacks

Preventing a Cyberattack

When it comes to preventing cyberattacks, being prepared is more than half the battle. But reacting to an incident without a plan is downright dangerous. You can end up causing more harm than good that way.

Start by patching all your software to the latest version, and keep it up-to-date. Every time you update your software it introduces new barriers that criminals must overcome. Keep your endpoint threat prevention program current, too. Many SMEs still rely on employees to keep programs up-to-date on their own. Most updates can be automated, and run in the background with minimal slowdowns.

Exploits are built against older software versions, even one release behind the current one. This is why we get so many updates: occasionally for increased functionality, but most often for security fixes.

I’m not a Target

Smaller companies are not immune just because they have "too low a profile" to interest attackers. Typically the "no one would bother with me" attitude means that you don't update your software regularly; that your firewall rules are extremely lax; and that your Wi-Fi router still uses the default factory SSID (such as Linksys, Netgear, or Belkin, hitched to the model number), the user name is still "admin", and the password is blank or also "admin".

You are precisely what hackers are looking for when they are staging a phishing attack. Often, the attackers start by sending you a malicious link and attempt to take control of your internal devices when you click on it, downloading malicious software onto your infrastructure. If you don't take your system security seriously, you're just a tool for the criminals to wield at their leisure.

I’m updated—Now what?

Before it happens you need to set policies about who gets access to which level of information, and who can perform certain actions. This is not just a policy for "workers". It applies all the way up and down the command chain, from the warehouse custodian right to the C-suite; in fact, particularly to the C-suite!

The CEO and CFO have wide-ranging abilities to transfer massive amounts of money. It is vitally important that one person cannot authorize a transfer of $3.1 million to Europe overnight to fulfil an "emergency" contract requirement that was sprung on them in a spear phishing attempt. Twice as many people approving an action results in double the likelihood of an appropriate action being taken.

Of course, once these policies are in place, it's necessary to verify them with department managers to assure understanding of their requirements. It's also important to solicit feedback from these managers as processes change within the organization so that the policies remain relevant and useful.

Review your policies on a regular basis to make sure that unnecessary permissions are revoked, even as new permissions are added. Consider Sunset Rules on permissions, so that they self-expire at a specific time, or if they are not used on a regular basis.
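The two access-policy controls just described, dual approval for large transfers and sunset rules that revoke expired or idle permissions, are small enough to express in code. The example below is added here and is not Blumira's code; the grant records, the 90-day idle limit, the $100,000 dual-control threshold and the user names are all assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# ---- Sunset rules on permissions ------------------------------------------

@dataclass
class Grant:
    user: str
    permission: str
    granted: datetime
    expires: Optional[datetime] = None    # hard expiry fixed when the grant was issued
    last_used: Optional[datetime] = None  # None means the grant was never exercised

def sunset_review(grants: List[Grant], now: datetime,
                  idle_limit: timedelta = timedelta(days=90)
                  ) -> Tuple[List[Grant], List[Tuple[Grant, str]]]:
    """Split grants into (active, revoked); each revoked grant carries its reason."""
    active, revoked = [], []
    for g in grants:
        last_activity = g.last_used or g.granted
        if g.expires is not None and g.expires <= now:
            revoked.append((g, "expired"))          # self-expired at a fixed time
        elif now - last_activity >= idle_limit:
            revoked.append((g, "unused"))           # not used on a regular basis
        else:
            active.append(g)
    return active, revoked

# ---- Dual control on large transfers ---------------------------------------

DUAL_CONTROL_THRESHOLD = 100_000  # assumed policy value, in dollars

@dataclass
class TransferRequest:
    amount: float
    requester: str
    approvals: Set[str] = field(default_factory=set)

def holds_active(user: str, permission: str, active_grants: List[Grant]) -> bool:
    return any(g.user == user and g.permission == permission for g in active_grants)

def approve(req: TransferRequest, approver: str, active_grants: List[Grant]) -> bool:
    """Record an approval only from a distinct person holding an active grant."""
    if approver == req.requester:
        return False  # the requester can never approve their own transfer
    if not holds_active(approver, "approve_transfer", active_grants):
        return False  # revoked or never-granted permission is worthless
    req.approvals.add(approver)
    return True

def can_execute(req: TransferRequest) -> bool:
    needed = 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    return len(req.approvals) >= needed

def demo():
    """Constructed scenario: a quarterly review followed by the $3.1M 'emergency' request."""
    now = datetime(2024, 1, 15)
    grants = [
        Grant("cfo", "approve_transfer", datetime(2023, 1, 1), last_used=datetime(2024, 1, 10)),
        Grant("controller", "approve_transfer", datetime(2023, 6, 1), last_used=datetime(2023, 12, 20)),
        Grant("former_intern", "approve_transfer", datetime(2023, 7, 1), expires=datetime(2023, 9, 1)),
        Grant("warehouse_lead", "approve_transfer", datetime(2023, 3, 1), last_used=datetime(2023, 8, 1)),
    ]
    active, revoked = sunset_review(grants, now)

    req = TransferRequest(amount=3_100_000, requester="ceo")
    approve(req, "ceo", active)            # rejected: self-approval
    approve(req, "former_intern", active)  # rejected: grant expired
    approve(req, "cfo", active)            # accepted
    after_one = can_execute(req)           # still blocked: one approver is not enough
    approve(req, "controller", active)     # accepted: second distinct approver
    return active, revoked, after_one, can_execute(req)

if __name__ == "__main__":
    active, revoked, after_one, final = demo()
    print("active:", [g.user for g in active])
    print("revoked:", [(g.user, why) for g, why in revoked])
    print("executable after one approval:", after_one, "after two:", final)
```

The approval check deliberately consults the post-review grant list rather than a static role table, so a permission that the sunset review just revoked cannot be used to wave a transfer through. Whether a second approval stage is triggered depends only on the amount, not on who is asking, which is the point of applying the policy to the C-suite as well.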

The Attack will Come

Attacks come in four flavors: Critical, Significant, Minor, and Negligible. Critical covers DDoS, ransomware, and successful data theft, which require rapid action from your response team. Significant refers to attempts or successes at causing damage, such as rewriting your client-facing web pages with obscenities, manifestos, or similar activities. Minor covers the sort of actions that happen every day, such as bulk phishing attempts or system probes looking for accidentally open ports as a way to break further into your system. Negligible refers to contained, irregular phishing attempts which are not worth reporting.

How to Respond

Don’t panic…seriously…just don’t. Instead have a well-rehearsed plan for this, which consists of identifying the threat, the affected areas, and then isolating them to contain the spread. If information theft is the objective, preventing outgoing internet connections may be vital, but it can often be done without cutting off dozens (or thousands) of ongoing transactions with your customers. Yes, if it is widely pervasive, you may have to shut everything down, but that is rarely the first move.

A proper plan has built-in mechanisms that spot unusual activity and automatically inform IT response teams about it without human intervention.
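As an added illustration of such a mechanism (not Blumira's code), the following detector reads authentication log lines, flags a burst of failed logins from one source as Significant, escalates to Critical when a login from that source then succeeds, and routes each alert to a team with no human in the loop. The log format, the sample lines (which use RFC 5737 documentation addresses), the five-failures-in-two-minutes rule and the routing table are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<iso-time> <RESULT> login user=<u> src=<ip>" format.
SAMPLE_LOGS = """\
2024-01-15T09:00:01 FAILED login user=admin src=203.0.113.7
2024-01-15T09:00:05 FAILED login user=admin src=203.0.113.7
2024-01-15T09:00:09 FAILED login user=root src=203.0.113.7
2024-01-15T09:00:12 FAILED login user=admin src=203.0.113.7
2024-01-15T09:00:15 FAILED login user=admin src=203.0.113.7
2024-01-15T09:00:20 FAILED login user=backup src=203.0.113.7
2024-01-15T09:00:25 ACCEPTED login user=backup src=203.0.113.7
2024-01-15T09:01:00 FAILED login user=alice src=198.51.100.4
2024-01-15T09:01:30 FAILED login user=alice src=198.51.100.4
2024-01-15T09:01:45 ACCEPTED login user=alice src=198.51.100.4
this line is malformed and must be skipped, not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>FAILED|ACCEPTED) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None so bad input is ignored."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_anomalies(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window failed-login burst detection with success-after-burst escalation."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()                       # sources that already raised a burst alert
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, q = ev["src"], recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "Significant", "src": src, "user": ev["user"],
                               "ts": ev["ts"],
                               "reason": f"{len(q)} failed logins within {window}"})
        else:  # ACCEPTED
            if src in flagged:
                alerts.append({"severity": "Critical", "src": src, "user": ev["user"],
                               "ts": ev["ts"],
                               "reason": "successful login after failed-login burst"})
                flagged.discard(src)
            q.clear()  # a success ends the current failure streak either way
    return alerts

# Assumed routing: who is paged for each severity, mirroring the four-flavor scale above.
ROUTING = {"Critical": "on-call-response-team", "Significant": "security-ops-queue"}

def route_alerts(alerts):
    """Pair each alert with its destination; unknown severities fall back to a digest."""
    return [(ROUTING.get(a["severity"], "daily-digest"), a) for a in alerts]

if __name__ == "__main__":
    for destination, alert in route_alerts(detect_anomalies(SAMPLE_LOGS.splitlines())):
        print(f"-> {destination}: [{alert['severity']}] {alert['src']} "
              f"user={alert['user']} at {alert['ts']}: {alert['reason']}")
```

Two details matter for a detector that runs unattended. Malformed lines are skipped rather than raising, so one odd log entry cannot silence the whole pipeline, and a source only raises the burst alert once per streak, so a noisy scanner does not flood the response team while the genuinely important event (a success after the burst) still escalates on its own.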

After the Attack

Ongoing monitoring is perfect for analyzing the attack. You can see who did what, find weaknesses in the system that can be corrected, and possibly even identify people to prosecute.

In the event of malicious damage, it shows you what needs to be repaired from your backups to get you back to full functionality. Once you’ve assured data integrity you can get back to work.

Your continuous monitoring also allows you to see exactly what was stolen. Unfortunately, if it affects your client base, HR & CRM need to get involved to inform your clients about the potential impact; with what they need to do to see if they’re affected; and to supply recommended actions if their data was compromised. Mostly you need a profound, sincere apology, and a list of remedial actions that you are undertaking to make sure there is never a repeat of this occurrence.

The Takeaway

This sounds like a lot of work, especially for a small to midsize business, but it can overwhelm even a large business, too. A Security Information and Event Management (SIEM) system and a Security Operations Center (SOC) are often beyond either the means or the capability of most SMEs. Despite increased awareness and investment in SIEM systems, these systems are often beyond the skill sets of employees and simply require too much internal manpower. Combine this with the fact that these systems don't provide timely, accurate, and actionable information, and you have the perfect formula for getting hacked. And what's worse is that these companies often don't know about the hack until it's too late.

So what are you going to do? In order to work, your plan has to detect a problem fast to minimize its impact. Building a response plan, making sure all access policies are up-to-date, training people how to identify and then respond to emergencies, and then figuring out how to clean up after an incident…it is a lot to ask.

That's why we've created Blumira, an intuitive cyber security solution that detects and disrupts the inevitable assaults every business will experience. Unlike traditional SIEM platforms, Blumira can respond to attacks cost effectively, without the need to deploy more security experts. Blumira efficiently collects and analyzes millions of data points, quickly identifying critical security issues in real time and defining actionable steps to stop threats. Because Blumira is cloud-based and needs zero configuration to work, it can integrate with your existing security protocols to pinpoint threats, and send actionable guidelines to the right person to ensure no threats slip through the cracks.

To learn more about Blumira’s threat detection solution, request a demo today.